A recently discovered attack campaign likely run by threat actors in China has been targeting public and private organizations in the Philippines, Europe, and the United States for perhaps as long as a year, using multi-stage malware that is capable of self-replicating and is designed to steal data.

The campaign may have been ongoing since September 2021, but researchers at Mandiant discovered it only recently and found that the threat actor is relying on the older technique of deploying malware-laden USB drives as the initial infection vector.

The attack includes the use of legitimate tools as well as several new pieces of malware, one of which has the ability to self-replicate onto new drives.

“Following initial infection via USB devices, the threat actor leveraged legitimately signed binaries to side-load malware, including three new families we refer to as MISTCLOAK, DARKDEW, and BLUEHAZE. Successful compromise led to the deployment of a renamed NCAT binary and execution of a reverse shell on the victim’s system, providing backdoor access to the threat actor,” an analysis by Mandiant researchers published Monday says. “The malware self-replicates by infecting new removable drives that are plugged into a compromised system, allowing the malicious payloads to propagate to additional systems and potentially collect data from air-gapped systems.”

Unlike some other malware campaigns that rely on infected USB drives, the malware in this campaign does not execute automatically when a victim inserts the drive into a computer. Rather, the victim has to manually execute one of two files on the drive, both of which are renamed versions of a legitimate application called USB Network Gate. Once the victim runs one of those binaries, it side-loads MISTCLOAK, a malicious DLL that stands in for one the legitimate binary expects to find beside it. MISTCLOAK is essentially a launcher: it reads a specific encrypted file named usb.ini, which houses the second-stage payload, DARKDEW. DARKDEW can be executed from either a removable drive or a hard drive.
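The infection chain described above leaves a recognizable footprint on the drive itself: a legitimate signed executable, the DLL it side-loads sitting next to it, and an encrypted file named usb.ini holding the next stage. The following triage script is an added example written for this page, not code from Mandiant or from the campaign. It walks a mounted drive, finds every usb.ini, checks whether the file looks like ciphertext rather than a plaintext INI (byte entropy and the absence of a section header), and flags directories where such a file sits beside both an .exe and a .dll. Only the file name usb.ini comes from the article; the entropy cutoff, the placeholder executable names, and the constructed sample tree are assumptions. It does not parse PE headers or verify Authenticode signatures, which a real triage would add to confirm that the executable is a renamed copy of a signed binary.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# "usb.ini" is the file name the article gives for the encrypted second-stage
# container. The threshold and sample names below are assumptions.
CONFIG_NAME = "usb.ini"
ENTROPY_THRESHOLD = 7.0   # bits per byte; a plaintext INI sits far below this


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of data; 8.0 means every byte value is equally common."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """A genuine INI starts with a section header or comment and has low
    entropy; a container holding ciphertext has neither property."""
    text_start = data.lstrip().startswith((b"[", b";", b"#"))
    return not text_start and shannon_entropy(data) >= ENTROPY_THRESHOLD


def triage_drive(root) -> list:
    """Walk a mounted drive and report every directory that shows the layout
    the article describes: an encrypted-looking usb.ini next to an .exe and
    a .dll (the renamed host binary plus the DLL it side-loads)."""
    findings = []
    for dirpath, _subdirs, filenames in os.walk(root):
        cfg = next((f for f in filenames if f.lower() == CONFIG_NAME), None)
        if cfg is None:
            continue
        data = (Path(dirpath) / cfg).read_bytes()
        exes = sorted(f for f in filenames if f.lower().endswith(".exe"))
        dlls = sorted(f for f in filenames if f.lower().endswith(".dll"))
        encrypted = looks_encrypted(data)
        findings.append({
            "dir": dirpath,
            "config_entropy": round(shannon_entropy(data), 2),
            "config_encrypted": encrypted,
            "executables": exes,
            "dlls": dlls,
            # side-loading needs a host EXE and a DLL in the same directory
            "suspicious": encrypted and bool(exes) and bool(dlls),
        })
    return findings


def build_sample_drive(base: Path) -> Path:
    """Constructed sample tree, not a real capture. File names are
    placeholders and are not the names used in the campaign."""
    drive = base / "drive"
    drive.mkdir(parents=True)
    # stand-in for ciphertext: every byte value equally often, entropy 8.0
    (drive / "usb.ini").write_bytes(bytes(range(256)) * 16)
    (drive / "renamed_host.exe").write_bytes(b"MZ" + b"\x00" * 62)  # PE stub
    (drive / "sideloaded.dll").write_bytes(b"MZ" + b"\x00" * 62)    # PE stub
    # benign subdirectory: a real plaintext usb.ini with no executables
    benign = drive / "tool"
    benign.mkdir()
    (benign / "usb.ini").write_bytes(b"[settings]\nautoconnect=0\nport=7000\n")
    return drive


def run_demo() -> list:
    """Build the sample tree in a temp dir, triage it, and return findings
    (drive root first, since os.walk is top-down)."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_drive(build_sample_drive(Path(tmp)))


if __name__ == "__main__":
    for f in run_demo():
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['dir']}  entropy={f['config_entropy']}  "
              f"exe={f['executables']} dll={f['dlls']}")
```

Point `triage_drive` at the mount point of a removable drive (for example `triage_drive("E:\\")` on Windows) to run it against real media. The entropy test is a coarse filter: a compressed or packed file also scores high, so a hit is a lead for a hash or signature check, not a verdict on its own.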